CN110383762B - Method, device and system for realizing policy control - Google Patents
Abstract
The invention provides a scheme for realizing policy control, in which a core network opens a service policy to an application server, the application server further authorizes the service policy to user equipment, and the user equipment, before accessing the service provided by the application server, pushes to the core network the service policy to be used for accessing that application server, so that the core network devices carry out policy control such as charging, QoS, routing, gating and redirection on the service flow or data packets between the user equipment and the application server according to the service policy pushed by the user equipment. Because the user equipment knows best which service it is about to access, having the user equipment participate in the core network's policy determination or policy control improves the accuracy of policy control and reduces the difficulty of service awareness in the core network.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and a system for implementing policy control.
Background
In current 2G, 3G and 4G network architectures, a gateway device in the packet core network, such as a GGSN (Gateway GPRS Support Node), an SGW (Serving Gateway) or a PGW (Packet Data Network Gateway), detects service data streams using its own service awareness and analysis capability, obtains the policy subscribed by the user from a policy control function entity such as a PCRF (Policy and Charging Rules Function) or an AAA (Authentication, Authorization and Accounting) server, or a policy configured locally on the gateway, performs policy matching, and then carries out the corresponding policy control according to the action defined in the matched rule, such as QoS control, bandwidth management and charging management. In 4.5G and future 5G network architectures, the network elements or functional entities of the packet core network may be deployed with the control plane and user plane separated, but the policy control flow does not change greatly.
With the development of mobile broadband network technology, new OTT (over the top) applications and services based on mobile broadband are emerging in large numbers, and the demand for controlling and charging OTT services on mobile broadband networks based on DPI (Deep Packet Inspection) service awareness is increasing. However, the gateway can only obtain the service policies subscribed between the user and the core network from policy control function entities such as the PCRF or AAA; sensing and identifying an OTT service requires the participation of the SP (Service Provider) or CP (Content Provider), for example the SP/CP synchronizes the data subscribed between the user and the SP/CP to the core network (OTT service data such as the OTT service access URL or server address, and user data such as whether the user has subscribed to the OTT service), or the SP/CP provides its own policy control server for the gateway to query when the user accesses the OTT service. Either way, direct or frequent interaction between the SP/CP and the core network brings risks to network security and service data security, and also raises problems of performance overhead, data synchronization and deployment cost, so it is difficult for the operator to realize dynamic identification and policy control of OTT services. In addition, with the spread of encrypted services such as HTTPS, once the service stream between the terminal and the SP/CP server is encrypted, it is difficult for a policy enforcement entity to accurately identify and control the service through its own service awareness or analysis capability.
Therefore, a solution is needed that is not affected by service data encryption, does not increase the security risk or performance pressure of the core network, implements dynamic installation of OTT service policies in the core network, and meets the requirement of rapid deployment of new services.
Disclosure of Invention
The embodiment of the invention provides a method, a device and a system for realizing policy control, which are used for realizing the perception of a core network on user access service and carrying out corresponding policy control.
In a first aspect, an embodiment of the present invention provides a scheme for implementing policy control, where a core network opens a service policy to an application server, the application server further authorizes the service policy to a user equipment, and the user equipment pushes, to the core network, the service policy to be used for accessing the application server before accessing a service provided by the application server, so that the core network equipment performs policy control, such as charging, QoS, routing, gating, and redirection, on a service flow or a data packet between the user equipment and the application server according to the service policy pushed by the user equipment. Because the user equipment is most clear about the service to be accessed, the accuracy of the policy control is improved and the difficulty of the core network in service perception is reduced by enabling the user equipment to participate in the process of the core network policy determination or policy control.
In one possible design, the core network includes a session management function entity, a user plane function entity and a policy control function entity. The session management function entity receives the service policy identifier sent by the user equipment, sends it to the policy control function entity, receives from the policy control function entity the service policy corresponding to the identifier, and sends that service policy to the user plane function entity; the policy control function entity receives the service policy identifier from the session management function entity and returns the corresponding service policy; and the user plane function entity receives the service policy from the session management function entity and performs policy control on the data packets sent by the user equipment according to it. The core network devices thus obtain the service policy of the service to be accessed directly from the user equipment, avoiding frequent, direct message or signaling interaction between the core network and the application server or other service policy management devices to obtain the service policy. This reduces message interaction between the core network and external devices, improves the performance of core network devices, and reduces the security risk of interaction between the core network and external networks.
In one possible design, the session management function entity receives the service policy identifier sent by the user equipment through the control plane, that is, the control plane message received by the session management function entity carries the service policy identifier sent by the user equipment.
In a possible design, the session management functional entity receives a service policy identifier sent by the user equipment through the user plane functional entity, that is, the user plane functional entity receives user plane data sent by the user equipment, the user plane data includes the service policy identifier sent by the user equipment, and the user plane functional entity sends the service policy identifier to the session management functional entity.
In a possible design, in order to enable the user equipment to send the service policy identifier to the user plane functional entity through the user plane, the user plane functional entity sends the address of the user plane functional entity to the user equipment in advance, so that the user equipment sends the user plane data to the address of the user plane functional entity.
In one possible design, the session management function entity further allocates a label to the service policy corresponding to the service policy identifier and sends the label to both the user equipment and the user plane function entity; the user plane function entity can then determine the corresponding service policy from the label and perform policy control on the data packets sent by the user equipment that contain the label, according to the service policy corresponding to the label.
In one possible design, the session management function entity allocates a label to the service policy corresponding to the service policy identifier and sends the label to the user equipment through the user plane function entity. That is, the session management function entity sends the allocated label to the user plane function entity, which records the label and the corresponding service policy and forwards the label to the user equipment; when the user plane function entity subsequently receives a data packet from the user equipment that contains the label, it performs policy control on that packet according to the service policy corresponding to the label.
With either of these two ways of allocating a label to the service policy corresponding to the service policy identifier, the user plane function entity can accurately recognize the user equipment's data packets and apply precise service policy control, which solves the problem that the user plane function entity cannot recognize the service when the user equipment encrypts the payload of the data packet.
In one possible design, the service policy identifier is allocated by the policy control function entity: when the application server requests the policy control function entity to sign or subscribe to a service policy, the policy control function entity allocates a service policy identifier to the service policy signed or subscribed by the application server. The application server sends the service policy identifier to the user equipment, and the user equipment pushes it to the core network when accessing the application server.
In one possible design, the core network further includes a network exposure function entity, which serves as the unified platform or interface through which the core network opens network capabilities to the outside. The network exposure function entity provides an open interface to the application server, receives the application server's request message for signing a service policy and forwards it to the policy control function entity, and also receives the service policy identifier allocated by the policy control function entity and sends it to the application server.
In a possible design, the policy control function entity of the core network may also not allocate the service policy identifier to the service policy signed by the application server, but directly issue the content of the service policy signed by the application server to the application server through the network open function entity, and what the application server issues to the user equipment will also be the content of the service policy, instead of the service policy identifier described above. In this case, as in the method and design described above, what the core network user plane functional entity or control plane functional entity receives in the user plane or control plane is the service policy pushed by the user equipment, rather than the service policy identifier. The user plane functional entity or the session management functional entity may further send the received service policy to the policy control functional entity for confirmation, for example, determine whether the core network supports the service policy pushed by the user equipment, and after the policy control functional entity confirms, the user plane functional entity executes the service policy pushed by the user equipment.
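The session management, policy control and user plane function entities and the label mechanism from the designs above, modelled as an added example (not code from the patent or from any real core network product); the PCF, SMF and UPF classes, the identifier and label formats, the supported-action set and the sample packets are all assumptions made here.

```python
"""Constructed model of the core-network side of the scheme (not from the patent):
PCF stores signed service policies, SMF resolves a pushed service policy identifier
and allocates a label, UPF enforces the policy on packets carrying that label."""
from dataclasses import dataclass
import itertools

# Policy-control capability categories this model core network can enforce.
SUPPORTED_ACTIONS = {"charging", "qos", "routing", "gating", "redirection"}


@dataclass(frozen=True)
class ServicePolicy:
    action: str       # enforceable only if it is one of SUPPORTED_ACTIONS
    parameter: str    # constructed value, e.g. "rate-group-7" or "dscp-46"


class PCF:
    """Policy control function: the authoritative store of signed service policies."""

    def __init__(self):
        self._signed = {}          # service policy identifier -> tuple of policies

    def register(self, policy_id, policies):
        self._signed[policy_id] = tuple(policies)

    def lookup(self, policy_id):
        """Policy set for an identifier, or None if no AS ever signed it."""
        return self._signed.get(policy_id)

    def confirm(self, policies):
        """Variant without identifiers: the UE pushed policy content, so the PCF
        checks that every action is one the core network actually supports."""
        return all(p.action in SUPPORTED_ACTIONS for p in policies)


class UPF:
    """User plane function: matches on the label only, since payloads may be encrypted."""

    def __init__(self):
        self._installed = {}       # label -> tuple of policies

    def install(self, label, policies):
        self._installed[label] = policies

    def enforce(self, packet):
        """Return the policy set applied to a UE data packet. A packet with no label,
        or with a label the SMF never installed, gets the default treatment."""
        policies = self._installed.get(packet.get("label"))
        return ("policy", policies) if policies else ("default", ())


class SMF:
    """Session management function: bridges the UE's push to the PCF and the UPF."""

    def __init__(self, pcf, upf):
        self.pcf, self.upf = pcf, upf
        self._next_label = itertools.count(1)

    def on_policy_identifier(self, policy_id):
        """UE pushed a service policy identifier (in a NAS message, or in user plane
        data relayed by the UPF). Returns the label, or None if the id is unknown."""
        policies = self.pcf.lookup(policy_id)
        return None if policies is None else self._install(policies)

    def on_policy_content(self, policies):
        """UE pushed policy content instead of an identifier; install it only after
        the PCF confirms that the core network supports it."""
        return self._install(policies) if self.pcf.confirm(policies) else None

    def _install(self, policies):
        label = f"lbl-{next(self._next_label)}"
        self.upf.install(label, policies)   # UPF learns label -> service policy
        return label                        # the label is returned to the UE


def run_scenario():
    """Exercise the flow end to end and return what each step produced."""
    pcf, upf = PCF(), UPF()
    smf = SMF(pcf, upf)
    # Done earlier in the scheme (step S1): an AS signed a policy set; constructed id.
    pcf.register("sp-0001", (ServicePolicy("charging", "rate-group-7"),
                             ServicePolicy("qos", "dscp-46")))
    good_label = smf.on_policy_identifier("sp-0001")   # signed identifier
    bad_label = smf.on_policy_identifier("sp-9999")    # never signed: no label
    # Data packets from the UE: the payload is opaque (TLS record bytes here),
    # so the UPF consults only the label.
    tls = b"\x16\x03\x03\x00\x2a"
    labelled = upf.enforce({"label": good_label, "payload": tls})
    unlabelled = upf.enforce({"payload": tls})
    stale = upf.enforce({"label": "lbl-42", "payload": tls})  # label never installed
    # Variant: the UE pushes policy content; one supported set, one unsupported action.
    content_ok = smf.on_policy_content((ServicePolicy("gating", "allow"),))
    content_rejected = smf.on_policy_content((ServicePolicy("mirroring", "copy"),))
    return {"good_label": good_label, "bad_label": bad_label,
            "labelled": labelled[0], "unlabelled": unlabelled[0], "stale": stale[0],
            "content_ok": content_ok, "content_rejected": content_rejected}
```

Note that the UPF never inspects the payload: an unknown identifier yields no label, and a packet with a missing or never-installed label falls back to the default treatment rather than to any pushed policy.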
In a second aspect, an embodiment of the present invention provides a method for implementing policy control, where the method is applied to a scenario where a user equipment accesses a service provided by an application server through a core network, and the user equipment sends a service policy identifier to the core network, so that the core network performs policy control on a data packet between the user equipment and the application server according to a service policy corresponding to the service policy identifier.
In one possible design, the user equipment obtains the service policy identifier from the application server. After the user logs in to the application server through the user equipment, the application server authorizes the user, according to the user's attributes, to use a service policy signed between the application server and the core network, and sends the service policy identifier to the user equipment.
In a possible design, the user equipment sends the service policy identifier to the core network through the control plane, that is, the user equipment sends a message, such as a NAS (Non-Access-Stratum) message, to the control plane functional entity of the core network, where the message includes the service policy identifier.
In a possible design, the user equipment sends the service policy identifier to the core network through the user plane, that is, the user equipment sends user plane data to the user plane functional entity of the core network, and the user plane data includes the service policy identifier. In this case, the user equipment needs to first obtain the address of the user plane functional entity, and in a possible design, the user equipment may obtain the address of the user plane functional entity of the core network in a response message for querying the address of the application server.
In one possible design, after the user equipment sends the service policy identifier to the core network, the user equipment receives, through control plane information or user plane data, a label allocated by the core network to the service policy corresponding to the service policy identifier; the user equipment then includes the label in the user plane data packets sent to the application server, so that the core network determines the corresponding service policy from the label and performs the corresponding policy control on the data packets containing the label.
In a third aspect, an embodiment of the present invention provides a UE implementing policy control, where the UE has the function of implementing the user equipment in the method described in the second aspect. The function may be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
In one possible design, the user equipment includes a communication interface, a memory, and a processor, where the communication interface is configured to communicate with a core network, send messages to the core network, or receive messages sent by the core network; a memory for storing computer execution instructions; a processor, connected to the memory and the communication interface via the bus, for executing computer-executable instructions stored in the memory when the user equipment is running, so as to enable the user equipment implementing policy control to perform the method for implementing policy control according to any one of the above second aspects.
In a fourth aspect, an embodiment of the present invention provides a method for implementing policy control, in which an application server obtains a service policy identifier from a core network, the service policy identifier being the identifier of a service policy that the core network authorizes the application server to use; the application server sends the service policy identifier to the user equipment so that the user equipment can instruct the core network to perform policy control on the service flow between the user equipment and the application server using the service policy corresponding to the service policy identifier.
In a fifth aspect, an embodiment of the present invention provides an application server implementing policy control, including a communication interface, a memory and a processor. The communication interface is used to communicate with the core network and receive the service policy identifier sent by the core network, and to communicate with the user equipment and send the service policy identifier to it; the memory is used to store computer-executable instructions and the service policy identifier; and the processor is connected to the memory and the communication interface through the bus and, when the application server runs, executes the computer-executable instructions stored in the memory so that the application server performs the method for implementing policy control according to the fourth aspect.
In a sixth aspect, an embodiment of the present invention provides a system for implementing policy control, including the user equipment and the core network as described in the above aspect.
In a possible design, the system for implementing policy control further includes an application server as described in the above aspect, to sign a service policy with the core network, and send a service policy identifier allocated by the core network to the user equipment.
In a seventh aspect, an embodiment of the present invention provides a computer-readable storage medium, which stores instructions that, when executed on a computer, cause the computer to perform the method of the second aspect or the fourth aspect.
In an eighth aspect, embodiments of the present invention provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the second or fourth aspect.
In addition, for the technical effects brought by any of the designs in the second to eighth aspects, reference may be made to the technical effects brought by the corresponding designs in the first aspect, which are not described again here.
Drawings
Fig. 1 is a schematic diagram of a possible system architecture according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a possible concept of the solution provided by the embodiment of the present invention;
Fig. 3 is a schematic diagram of a possible core network architecture according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of another possible core network architecture according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a possible functional module of a UE according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of another possible functional module of the UE according to the embodiment of the present invention;
Fig. 7 is a schematic diagram of a possible mapping between a user equipment function module and a hardware module according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of a possible functional module of an application server according to an embodiment of the present invention;
Fig. 9 is a schematic flowchart of a possible method for a user equipment to push a service policy through the user plane according to an embodiment of the present invention;
Fig. 10a is a schematic diagram of a possible structure of a data packet sent by a UE according to an embodiment of the present invention;
Fig. 10b is a schematic diagram of a possible structure of a data packet received by a user plane function entity according to an embodiment of the present invention;
Fig. 11 is a schematic flowchart of a possible method for a user equipment to push a service policy through the control plane according to an embodiment of the present invention;
Fig. 12 is a schematic flowchart of another possible method for a user equipment to push a service policy through the user plane according to an embodiment of the present invention;
Fig. 13 is a schematic diagram of a possible computer device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention.
Fig. 1 depicts a schematic diagram of the system architecture on which an embodiment of the present invention is based. As shown in Fig. 1, an APP (application) client is installed on the user equipment, the user accesses an Application Server (AS) through the APP client to use the service provided by the application server, and the service flow between the APP client and the AS is forwarded through the access network and the core network. In the embodiment of the present invention, the access network and the core network both belong to a communication network, and the network elements, functional entities or devices in the access network or core network may be provided by the same communication network operator or by different operators; the present invention does not limit this. The communication network operator is sometimes simply referred to as the operator in the embodiments. The invention does not limit the types of the user equipment, the access network or the core network. The User Equipment (UE) may be a mobile phone, a computer, a wearable device, a vehicle-mounted device or another terminal device with communication functions; the APP client may be an independent client provided by the provider of the AS accessed by the user (e.g., the user accesses the Taobao server using a mobile Taobao client), or a web browser client (e.g., the user logs in to a website providing OTT services through the IE browser). The access network may be a radio access network, a fixed access network or another access network such as GERAN (GSM EDGE Radio Access Network), UTRAN (Universal Terrestrial Radio Access Network) or E-UTRAN (Evolved UTRAN). The core network may be a GPRS (General Packet Radio Service) packet-switched network, an EPC (Evolved Packet Core) network, a subsequent evolution of the EPC network, a future 5G (5th Generation) network, or another network.
The devices in the core network control or forward the service flow or data packets between the user equipment and the AS according to certain policies, such as QoS, charging, routing or redirection. The AS is provided by the SP/CP, is connected to the core network, and, relying on the access network and on the user access control, routing, addressing and data transmission of the core network, provides services to the user such as audio and video, media and social interaction, for example OTT services or applications such as Tencent Video and network audio/video telephony.
With the development of mobile broadband network technology, a great many new OTT (over the top) applications and services based on mobile broadband have emerged; the types of services or applications provided by SP/CPs keep growing and the pace of service innovation keeps accelerating, but core network devices run into many problems when detecting service flows: the IP address specifications of service flows are diverse, change frequently and do not converge, so the policy enforcement entity cannot obtain comprehensive and accurate IP address characteristics of the service flows in time; and a large proportion of service flows apply encryption, with more and more services carried over HTTPS (Hypertext Transfer Protocol over Secure Socket Layer), so that the AS service accessed by the user becomes a black box to the core network and the DPI capability of core network devices is greatly challenged.
To solve the above problems and better realize awareness of the services accessed by users and perform corresponding policy control, embodiments of the present invention provide a technical solution for opening service policies, so as to implement dynamic service policy control. The service policy opening proposed here can be understood as an operator capability opening solution. Traditional operator capability opening means that an operator provides the service capabilities of its network (such as voice, short message and conferencing) to third parties through an Application Programming Interface (API) or another open interface, so that third parties can call these capabilities through the open interface to provide richer service experiences; for example, an IoT service provider can offer smart home, smart security and remote care services based on the communication capabilities of the operator network. In the technical solution provided by the embodiment of the invention, in order to let core network devices detect and apply policy control to a user's service flow more accurately, the operator treats the capability of defining service policies as a new service capability, opens and authorizes it to the SP/CP that provides the service, the SP/CP in turn authorizes the capability of defining service policies to the user, and the user equipment pushes the service policy to the core network, so that core network devices perform policy control such as charging, QoS, routing, gating and redirection on the service flow or data packets between the user equipment and the AS according to that service policy.
In the service policy opening scheme provided by the embodiment of the invention, the operator opens the definition of service policies to the SP/CP as a service capability, and the SP/CP then authorizes it to its legitimate users, so that in effect the user defines the service policy within the range authorized by the operator.
Based on the above concept, fig. 2 further describes the solution of the embodiment of the present invention by taking a 5G core network architecture as an example. Fig. 2 does not limit the access mode of the UE to the 5G core network, and the UE may access the 5G core network through a WiFi or 5G access network or other access modes. In a 5G core network, a core network device or a network element or a functional entity is separated into a Control Plane (CP) functional entity and a User Plane (UP) functional entity, where the Control plane functional entity implements mobility management, session management, policy Control, network capability opening and other functions, and the User plane functional entity implements forwarding of a User service flow or a data packet and performs policy Control such as QoS, charging, routing or redirection on the service flow or the data packet according to a policy. The scheme provided by the embodiment of the invention comprises the following steps:
s1: AS signing up with core network (or "subscription" or "registration" or other names may also be used, and the embodiment of the present invention is not limited by this) service policy
The AS signs a service policy with the core network through an open interface that the core network provides externally. For example, the core network presents the supportable service policies externally in the form of a website, and the AS provider may select the service policy to be signed from the service policy list provided by the core network operator; for example, the AS may first query the service policies supported by the core network through an API interface exposed externally by the NEF (Network Exposure Function) and then select part of them to subscribe to or sign, or the AS may directly sign the service policy it wishes to use with the core network through the API interface of the NEF, and the core network determines whether the service policy required by the AS can be supported. The signing or subscribing modes are various, and the present invention does not limit them. In fig. 2, it is assumed that the control plane CP of the core network includes a network element or functional entity providing the network exposure function and a network element or functional entity providing the service policy control or authorization function. The AS sends a service policy subscription message to the CP. The CP determines, from the service policies the AS wishes to sign, the service policies that can be used by the service provided by the AS, according to the policy control capability categories that the core network can provide and possibly information such as the service type of the service provided by the AS and attributes of the AS (e.g., the level or credit degree of the AS provider), and authorizes the service provided by the AS to use them. Through step S1, the AS obtains the service policy authorized by the core network.
In order to identify a service policy signed by an AS inside the core network, the core network may further allocate, to the service policy authorized for the AS, indication information for indicating that service policy, such as a service policy identifier; the service policy identifier may also be allocated automatically by the AS according to an encoding rule negotiated with the core network and sent by the AS to the CP in the request message for signing a service package. It should be noted that the service policy signed by the AS may be one service policy or may include multiple service policies, such as charging, routing, redirection, and QoS; accordingly, the service policy identifier may identify one service policy or a set of multiple service policies. It should also be noted that, by introducing the service policy identifier, the core network in the embodiment of the present invention can identify not only the service policies signed by different ASs but also different service policy sets signed by the same AS, such as two charging policies signed by one AS and respectively authorized to users of different levels; in this case, the core network allocates one service policy identifier to each of the two charging policies signed by the AS. It should be noted that "service policy identifier" is only a name, and the name itself does not limit the present solution; in a specific implementation it may also be referred to as a "service identifier", a "policy identifier", or simply an "identifier". The present invention does not limit the name, and as long as an identifier has the function of the "service policy identifier" in the embodiment of the present invention, it is within the protection scope of the present invention.
S2: the AS authorizes the UE to use a service policy
A user logs in to or accesses an AS through a UE (specifically, through an APP client on the UE), and the AS sends to the UE at least one of the service policy information and the service policy identifier that the UE may use to access the service, according to information such as the service accessed by the UE and attributes of the UE (such as priority, user type, prepaid or postpaid, and the like); that is, information on the service policy authorized for the user is sent to the UE. It should be noted that the server that authenticates and authorizes the user may be different from the server the UE initially logs in to; for example, the SP/CP may deploy a unified portal server, and after receiving the login request message of the UE, the portal server forwards the user's login request to the user data server for authentication or authorization. In addition, the server storing the user data and the service subscription data may be different from the server authenticating and authorizing the user. The embodiment of the invention does not limit the forwarding between the SP/CP servers or the name of the server, which is generally called the AS. It should be noted that the AS may also authorize the UE to use the service policy in other manners, for example by presetting service policy identifiers and a service policy identifier authorization rule in the APP client, where the APP client locally determines the attributes of the user and selects the service policy identifier to use according to the preset rule.
S3: the UE pushes the service policy to the core network; the UE may choose to push the service policy to the core network through the user plane or through the signaling plane.
It should be noted that the AS may sign multiple service policies, that there may be multiple service policies authorized by the AS to the user, and that the UE may select only part of the service packages or policies to push to the core network. These pushed service packages or policies may be selected by the user interactively through a UI (user interface) of the APP client on the UE, or may be selected according to a rule preset or configured in the APP client.
S3-a: the UE pushes a service policy through the user plane: the UE encapsulates at least one of the service policy and the service policy identifier authorized by the AS into a service flow or data packet and sends it as user plane data to the core network user plane device. In order to enable the user plane device in the operator's core network to recognize the service flow or data packet that pushes the service policy, the UE may add an indication to the service flow (for example, a service policy push indication in the IP, UDP, TCP, or HTTP header of the service flow); the user plane device in the core network detects the service flow and processes a service flow carrying the indication according to the method in S4-a. Alternatively, the UE may set the destination address of the service flow or data packet to the policy configuration address of the UPF, and a service flow sent to the policy configuration address is parsed and processed by the UPF as a service policy configuration message according to the method described in step S4-a. The policy configuration address may be sent to the OTT server by the core network operator through the service policy subscription process in step S1 and then sent by the OTT server to the UE in step S2, or may be sent to the UE by a network element or functional entity in the core network through signaling, or may be sent to the UE by the UPF on the user plane in the process of establishing a connection between the UE and the AS.
Certainly, the UPF may also send its own address to the UE as the address of the AS in the process of establishing a connection between the UE and the AS, in which case the UPF actually serves as a proxy between the UE and the AS, parsing and forwarding the service flows or data packets between them. In order to enable the UPF to distinguish the service flow or data packet that pushes the service policy from the service flow or data packet that accesses the AS service, the UE may encapsulate the two in different formats (for example, the service flow or data packet between the UE and the AS is encapsulated in HTTPS format, while the service flow or data packet pushing the service policy is encapsulated in SIP format) so that the UPF can distinguish them; the UE may also identify the service flow or data packet that pushes the service policy by a specific message type or another kind of indication.
S3-b: the UE pushes the service policy through the control plane: the UE encapsulates at least one of the service policy and the service policy identifier authorized by the AS into a control plane message, such as a Non-Access-Stratum (NAS) message, and pushes the service policy to a control plane network element or functional entity of the core network. The message name and message format of the control plane message that pushes the service policy are not limited in the present invention.
S4: the core network receives the service policy pushed by the UE. Corresponding to the two ways in which the UE may push the service policy, there are two processing modes in the core network.
S4-a: the user plane network element or functional entity receives the user plane data in which the UE pushes the service policy and sends at least one of the pushed service policy and the service policy identifier to the control plane network element or functional entity; the control plane network element or functional entity checks the service policy pushed by the UE, and the check includes determining whether the service policy pushed by the UE is a service policy supported by the core network. If the check succeeds, the control plane instructs the user plane to execute the service policy pushed by the UE.
S4-b: the control plane network element or functional entity receives the control plane message in which the UE pushes the service policy and checks the service policy pushed by the UE, where the check includes determining whether the service policy pushed by the UE is a service policy supported by the core network. If the check succeeds, the control plane instructs the user plane to execute the service policy pushed by the user.
It should be noted that the check of the service policy identifier by the core network is an optional action whose purpose is to improve the reliability and security of the scheme in the embodiment of the present invention. The check performed by the core network control plane on the service policy pushed by the UE may further include determining whether that service policy is one signed for a service provided by an AS; in this case the UE further includes identification information of the AS service it is about to access in the user plane service flow or data packet, or in the control plane message, that pushes the service policy, so that the core network can determine whether the pushed service policy was signed by the AS. In one possible implementation, the AS service identifier is a separate identifier by which the core network can uniquely identify the AS service; it is allocated by the core network or by the AS for the AS service and is sent by the AS to the UE in step S2. In another possible implementation, the identification information of the AS service is embodied in the service policy identifier through a specific coding rule; for example, when the coding rule of the service policy identifier is "core network operator code + AS provider code + AS service code + authorized service policy code", both the identification information of the AS service and the information on the service policy authorized for that AS service are embodied in the service policy code. Of course, the service policy identifier may also uniquely identify a service policy subscribed by a certain AS in the core network through other encoding rules; the embodiment of the present invention does not exclude other possible encodings and is not limited to this one.
In addition, the core network also allocates a label or feature word to the UE, so that the UE can include the label or feature word in the user plane service flow or data packet of a subsequent access to the service provided by the AS, thereby indicating to the user plane functional entity or network element that this service flow or data packet uses the service policy pushed by the UE. The label or feature word is allocated by the control plane and is sent to the UE by the user plane or control plane functional entity or network element in the response message to the service policy push.
S5: the core network returns a response message to the UE and executes the service policy.
S5-a/S5-b: depending on the way in which the UE pushed the service policy, the user plane or control plane functional entity or network element returns a response message to the UE for the service policy push, and the response message includes the label or feature word corresponding to the service policy. If the UE subsequently includes the label or feature word in a service flow or data packet that accesses the service provided by the AS, the user plane functional entity or network element executes the corresponding service policy on the service flow or data packet that carries the label or feature word.
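As an added illustration that is not part of the patent text, the following Python model walks through steps S1 to S5 above using the identifier coding rule quoted earlier ("core network operator code + AS provider code + AS service code + authorized service policy code"); the operator and provider codes, the policy names, the field separator and the label format are constructed assumptions, and the verification in S4 also covers the failure cases the text mentions (an identifier that was never signed, one issued for a different AS service, and a malformed one).

```python
"""Added example (not from the patent): a toy model of steps S1-S5 in fig. 2.
Operator/provider codes, policy names and the label format are constructed."""
import secrets
from typing import Dict, FrozenSet, Optional, Set, Tuple

Policy = Tuple[str, str]   # (category, value), e.g. ("qos", "vip")
SEP = "-"                  # assumed field separator inside the identifier


def encode_policy_id(operator: str, provider: str, service: str, policy: str) -> str:
    """Coding rule from the text: operator + AS provider + AS service + policy."""
    return SEP.join((operator, provider, service, policy))


def decode_policy_id(policy_id: str) -> Dict[str, str]:
    parts = policy_id.split(SEP)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"malformed service policy identifier: {policy_id!r}")
    return dict(zip(("operator", "provider", "service", "policy"), parts))


class CoreNetworkCP:
    """Control plane (NEF/PCF role): S1 subscription and S4 verification."""
    # Policy control capabilities this operator can enforce (constructed).
    SUPPORTED: Set[Policy] = {("charging", "sponsor_pays"), ("qos", "vip"), ("qos", "basic")}

    def __init__(self, operator_code: str) -> None:
        self.operator = operator_code
        self.subscriptions: Dict[str, FrozenSet[Policy]] = {}  # policy id -> signed set
        self.labels: Dict[str, str] = {}                        # label -> policy id
        self._seq = 0

    def subscribe(self, provider: str, service: str,
                  policy_sets: Dict[str, Set[Policy]]) -> Dict[str, str]:
        """S1: grant each requested set the subset the core network supports and
        allocate one identifier per granted set (two QoS sets -> two identifiers)."""
        granted: Dict[str, str] = {}
        for name, policies in policy_sets.items():
            usable = frozenset(p for p in policies if p in self.SUPPORTED)
            if not usable:
                continue                      # nothing supportable: not signed
            self._seq += 1
            pid = encode_policy_id(self.operator, provider, service, f"{name}{self._seq:02d}")
            self.subscriptions[pid] = usable
            granted[name] = pid
        return granted

    def verify_push(self, policy_id: str, service_id: str) -> Optional[str]:
        """S4: accept only identifiers this operator issued, that an AS actually
        signed, and whose AS service code matches the service the UE is accessing.
        On success allocate the label the UE must carry in later flows (S5)."""
        try:
            fields = decode_policy_id(policy_id)
        except ValueError:
            return None
        if fields["operator"] != self.operator or policy_id not in self.subscriptions:
            return None
        if fields["service"] != service_id:
            return None
        label = secrets.token_hex(8)          # unguessable, allocated per push
        self.labels[label] = policy_id
        return label

    def policies_for_label(self, label: str) -> FrozenSet[Policy]:
        return self.subscriptions.get(self.labels.get(label, ""), frozenset())


class CoreNetworkUP:
    """User plane (UPF): enforce the signed policy on packets carrying a label."""
    def __init__(self, cp: CoreNetworkCP) -> None:
        self.cp = cp

    def handle(self, packet: Dict[str, str]) -> Dict[str, str]:
        decision = {"qos": "default", "charging": "subscriber_pays"}  # no/unknown label
        for category, value in self.cp.policies_for_label(packet.get("label", "")):
            decision[category] = value
        return decision


class AppServer:
    """SP/CP application server: S2, hand the logged-in user a policy identifier."""
    def __init__(self, service_id: str, granted: Dict[str, str]) -> None:
        self.service_id, self.granted = service_id, granted

    def authorize(self, user_level: str) -> str:
        return self.granted["vip" if user_level == "vip" else "common"]


def run_scenario(user_level: str) -> Dict[str, str]:
    """End to end: S1 subscribe, S2 authorize, S3/S4 push and verify, S5 enforce."""
    cp = CoreNetworkCP("op01")
    granted = cp.subscribe("tencent", "video", {
        "vip": {("charging", "sponsor_pays"), ("qos", "vip")},
        "common": {("charging", "sponsor_pays"), ("qos", "basic")},
        "bogus": {("routing", "anywhere")},   # unsupported category: dropped in S1
    })
    app = AppServer("video", granted)
    label = cp.verify_push(app.authorize(user_level), "video")    # S3/S4
    packet = {"dst": "video", "payload": "GET /", "label": label or ""}
    return CoreNetworkUP(cp).handle(packet)                         # S5
```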
Based on the application scenario diagram shown in fig. 1 and the technical solution concept diagram shown in fig. 2 according to the embodiment of the present invention, fig. 3 and fig. 4 further show network architecture diagrams for implementing the technical solution concept of the present invention under two different network types.
The E-UTRAN in fig. 3 is an example of the access network in fig. 1. Correspondingly, the core network in fig. 1 is exemplified as an EPC network in fig. 3, which includes functional entities or network elements such as an MME (Mobility Management Entity), a PCRF (Policy and Charging Rules Function), an SGW (Serving Gateway), a PGW (Packet Data Network Gateway), and an SCEF (Service Capability Exposure Function). The MME is responsible for mobility management and connection management of the UE and selects gateways such as the SGW and PGW for the UE. The SGW is connected to the E-UTRAN access network, and the PGW is connected to the AS. The PGW takes on the role of the policy enforcement entity in the EPC network: it detects the service flow according to the charging and control policy indicated by the PCRF and enforces the control policy matched to the service flow. The SCEF serves as the external capability exposure interface of the core network and is connected to the AS, and the AS signs a service policy with the core network through the SCEF. The PCRF manages the service policies signed by the user and by the AS. In actual deployment, the SGW and the PGW may be deployed in merged form, that is, the same gateway supports the functions of both the SGW and the PGW. The SGW or the PGW may also be split into a control plane function and a user plane function, where the PGW-C (Control Plane) is responsible for interacting with the PCRF to obtain the user's charging and control policies and pushing them to the PGW-U (User Plane), and the PGW-U is responsible for detecting the service flow, matching the policies, and executing them. For ease of comparison with fig. 2, the network elements of the core network in fig. 3 are divided into CP and UP by dashed boxes; it should be noted that this division is only schematic, and the embodiment of the present invention does not limit how the control plane and user plane of the EPC network are separated and divided. In the embodiment of the invention, when the UE accesses the service provided by the AS and has obtained the authorization of the AS, the UE pushes the service policy through the user plane (PGW-U) or through the control plane via network elements such as the MME and SGW-C; after functional entities or network elements such as the PGW-C and PCRF verify the service policy pushed by the UE, the PGW-U executes that service policy and performs the corresponding policy control on the service flow between the UE and the AS.
Fig. 4 is a schematic diagram of a network architecture under a 5G architecture according to an embodiment of the present invention. It should be noted that, since the architecture of the 5G core network had not been formally settled at the filing date of the present application, the names and deployment forms of the 5G core network entities described in the embodiment of the present invention are merely examples and do not limit the technical solution or the related functional entities of the present invention; however the names, locations, and interaction relationships of these network entities change in the future, they are within the scope of the present invention as long as they have the functions of the network entities in the embodiment. The 5G core network in fig. 4 comprises control plane functional entities and user plane functional entities. The CP functional entities include an AMF (Access and Mobility Management Function), an SMF (Session Management Function), a PCF (Policy Control Function), and a NEF; the UP functional entity is the UPF (User Plane Function). The AMF is responsible for mobility management and access management of the UE, the SMF is responsible for session management, and the UE attaches to the core network through the AMF and the SMF. The UPF controls and forwards the service flows or data packets between the UE and the AS. The NEF serves as the external exposure interface of the core network, the AS signs a service policy with the core network through the NEF, and the PCF is responsible for managing the service policies signed by the AS.
In the embodiment of the invention, when the UE accesses the service provided by the AS and has obtained the authorization of the AS, the service policy pushed by the UE reaches the SMF either through the user plane (UPF) or through network elements such as the AMF; after control plane functional entities such as the SMF and PCF verify it, the UPF executes the service policy pushed by the UE and performs the corresponding policy control on the service flow between the UE and the AS.
Fig. 3 and fig. 4 are two examples of network architectures according to the technical solution of the present invention, and it is within the scope of the present invention for those skilled in the art to design an implementation solution suitable for other types of networks according to the content of the embodiment of the present invention, as long as the network entity in the implementation solution has the function of the network entity in the embodiment of the present invention.
Fig. 5 is a schematic diagram of a possible functional structure of a UE in the embodiment of the present invention. The UE 500 includes an application client module 501, a service policy configuration module 502, a communication protocol stack module 503, and a communication module 504. Each functional module is described with reference to fig. 2 as an example. In step S2, the application client module 501 (e.g., APP client software installed on a mobile phone) constructs an application layer message (e.g., a login or service access request message) to be sent to the application server; the communication protocol stack module 503 encapsulates the message or packet into a form that can be transmitted in the core network (e.g., by adding a transport layer or network layer header outside the application layer message constructed in 501, or by splitting or reassembling the message or packet according to the transport protocol); the communication module sends the message or packet to the core network, which finally forwards it to the application server AS. Similarly, a message sent by the AS to the application client module (such as the service policy authorization message) is received by the communication module 504, and after the communication protocol stack module 503 parses the network layer and transport layer protocols, the application layer message is passed to the application client module 501. The service policy configuration module 502 is the functional module responsible for pushing the service policy to the core network in the embodiment of the present invention; after the application client module 501 obtains the service policy authorized by the AS in step S2, it invokes the service policy configuration module 502 to push the service policy to the core network through the control plane or the user plane.
The service policy configuration module 502 constructs the control plane or user plane data that pushes the service policy; this data is encapsulated by the communication protocol stack 503 and sent to the core network by the communication module 504. The response message sent by the core network to the UE in step S5 is received by the communication module 504 and, after parsing by the communication protocol stack module 503, passed to the service policy configuration module 502, which hands the label or feature word returned by the core network to the application client module 501. The application client module 501 then includes the label or feature word outside the message payload of each application layer message it sends; the core network detects and parses the service flow or data packet sent by the UE to the AS and performs policy control on the service flow or data packet that carries the label or feature word.
Fig. 6 is a schematic diagram of another possible functional structure of the UE in the embodiment of the present invention. The modules included in the UE-600 are the same as the functional modules included in the UE-500 in fig. 5. The application client module 601, the service policy configuration module 602, the communication protocol stack module 603, and the communication module 604 in fig. 6 correspond to the application client module 501, the service policy configuration module 502, the communication protocol stack module 503, and the communication module 504 in fig. 5, respectively. The difference is that the service policy configuration module 602 is an internal module of the application client module 601, that is, the application client module 601 includes the function of the service policy configuration module 602. For example, in a possible product form corresponding to fig. 5, the software and hardware of a mobile phone as it leaves the factory already support the function of the service policy configuration module 502, and the SP/CP only needs to implement the function of the application client module 501 when developing the APP client. In a possible product form corresponding to fig. 6, by contrast, the factory software and hardware of the mobile phone do not support the function of the service policy configuration module 602, so when the SP/CP develops the APP client, the APP client needs to support the function of the application client module 601 including the service policy configuration module 602.
Fig. 5 and 6 are block diagrams of logical functional modules of the UE; in an actual UE product, each module shown in fig. 5 or 6 may exist in various forms and may be implemented by hardware, software, or any combination thereof. Based on the logical functional modules in fig. 6, fig. 7 shows a possible mapping of those modules to physical components in the UE. The UE-700 contains one AP (Application Processor) and two BPs (Baseband Processors, also called baseband chips). The AP and the BPs communicate with each other using AT commands. Those skilled in the art will understand that the UE may further include other physical components such as a display screen, an antenna, or a network interface, which are not limited in the embodiment of the present invention and are not listed in fig. 7. The AP-701 runs a Linux operating system and application programs and comprises the application client module 601 and a communication protocol stack module 603-1, where the communication protocol stack module 603-1 provides the functions of an IP protocol stack and an HTTP/HTTPS protocol stack. The BP-702 includes two communication modules 604-1 and 604-2 that provide WiFi and Bluetooth transceiving functions, respectively. The BP-703 comprises a communication protocol stack module 603-2 and a communication module 604-3, where the communication protocol stack module 603-2 provides the functions of a SIP (Session Initiation Protocol) protocol stack and a NAS (Non-Access-Stratum) protocol stack, and the communication module 604-3 provides wireless transceiving functions such as 2G, 3G, 4G, and 5G. The following describes the relationship between the modules in fig. 7 by taking the UE in fig. 2 sending a message to the core network as an example.
In step S2, the communication protocol stack module 603-2 in BP-703 first initiates the procedure by which the UE attaches to the core network; the application client module 601 then constructs an application layer message (such as a request message for logging in to or accessing an AS service), which is encapsulated into an HTTPS message by the communication protocol stack module 603-1, and the communication module in BP-703 is called through an AT instruction to send the message to the core network. When, in step S3, the UE pushes the service policy to the UP of the core network, the application client module 601 invokes the SIP protocol stack capability of the communication protocol stack module 603-2, encapsulates the service policy push message in SIP format, and pushes the service policy to the user plane of the core network through the communication module 604-3. When, in step S3, the UE pushes the service policy to the CP of the core network, the application client module 601 invokes the NAS protocol stack capability of the communication protocol stack module 603-2, encapsulates the service policy push message in a NAS message, and pushes the service policy to the control plane of the core network through the communication module 604-3. The above description of the relationship between modules takes the case of fig. 2 in which the UE accesses the 5G core network through the 5G-RAN as an example; of course, the UE may also access the 5G core network through other wireless or wired means such as WiFi, in which case the communication messages constructed by the communication protocol stack modules 603-1 and 603-2 need to be sent through a communication module in BP-702 or another wired communication module.
It should be noted that, in the functional modules of the UE shown in fig. 5 to fig. 7, each functional module may also be combined or decomposed, for example, the application client module may also have a function of a communication protocol stack module, that is, the application client module may encapsulate and analyze an application layer message according to a protocol between the UE and a communication network, in this case, the communication protocol stack module in fig. 5 to fig. 7 is an internal functional module of the application client module.
The embodiment of the present invention may also divide the AS into functional modules, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one module. The integrated module can be realized in a form of hardware, and can also be realized in a form of a software functional module. It should be noted that, the division of the modules in the embodiment of the present invention is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
For example, fig. 8 shows a schematic diagram of a possible structure of an AS involved in the foregoing embodiment, where the apparatus 800 includes a service policy subscription module 801, a service policy authorization module 802, and a communication module 803. The service policy subscription module 801 interacts with the core network through the communication module 803, and subscribes the service policy to the core network, that is, the function of the AS in step S1 in fig. 2 is implemented; the service policy authorization module 802 interacts with the UE through the communication module 803, authenticates the user and authorizes the service policy, and sends the service policy signed by the AS to the UE, that is, implements the function of the AS in step S2 in fig. 2.
The technical solution of the present invention and the applicable core network architecture, UE and AS are described above, and the following will make further flow descriptions of the technical solution of the embodiments of the present invention with reference to more drawings.
Fig. 9 is a schematic flow chart of a method for policy control of service flows or data packets between a UE and an AS by a UPF through a user plane pushing a service policy when the UE accesses an OTT service (e.g., Tencent video, Sina video, etc.) provided by the AS of an SP/CP (e.g., Tencent, Sina, etc.) through a 5G network based on a network architecture shown in fig. 4. To help understand the technical solution provided by the embodiment of the present invention, the method steps in fig. 9 are mapped with the summary steps in fig. 2 in the form of dashed boxes S1-S5 in fig. 9.
901: the AS sends a service policy subscription request message to the NEF, where the message includes an identifier of the AS and the service policy requested by the AS, and optionally may also include information such as an identifier of the service provided by the AS or a description of the service content (e.g., service type).
902: the NEF forwards the service policy subscription request message of the AS to the PCF.
903: the PCF receives the AS service policy subscription message sent by the NEF, determines, from the service policies the AS requests to subscribe to, one or more service policies that can be used by the service provided by the AS according to the service type provided by the AS and attributes of the AS (such as the level or credit degree of the AS provider), and allocates a service policy identifier to the set of service policies usable by the service provided by the AS. The coding rule of the service policy identifier is "core network operator code + AS provider code + AS service code + authorized service policy code", that is, the service policy code reflects both the identification information of the AS service and the information on the service policy authorized for that AS service. The PCF sends a response message to the NEF carrying the service policy the AS may use and the corresponding service policy identifier.
904: the NEF sends the service policy authorized for the AS by the PCF and the corresponding service policy identifier to the AS. For example, the Tencent video AS signs a charging policy with the core network, namely a Tencent unified charging policy under which the service flow charges of UEs subsequently accessing the Tencent video AS are paid by Tencent as a whole; as another example, Tencent video signs two different types of QoS policy, a VIP user QoS policy and a common user QoS policy, where the VIP user QoS policy is a high-speed, high-bandwidth QoS policy and the common user QoS policy is a basic bandwidth guarantee QoS policy.
905: the UE initiates an attachment process to a 5G core network through a 5G access network, the UE completes the attachment process after passing the authentication process and other processes of the 5G core network, the 5G core network creates a default bearer for the UE, and the UE can access an external network or a server through the 5G access network and the 5G core network.
906: before accessing the AS, the UE first performs a DNS query according to the domain name of the AS (such as https://v.qq.com/) to obtain the address of the AS. The UE sends a DNS query request message to the DNS server from the user side.
907: if the UPF itself serves as the DNS server, it constructs and sends a DNS query response message to the UE in which the address information is the address of the UPF. If the UPF is not the DNS server, either the UPF intercepts the DNS query request sent by the UE, constructs and sends a DNS query response message to the UE containing the address of the UPF, and then itself queries the DNS server to obtain the real address of the AS; or the UPF intercepts the DNS query response message sent by the DNS server to the UE and replaces the AS address it contains with the address of the UPF. In either way, by returning the UPF address to the UE, the UPF makes itself a proxy or message forwarding agent between the UE and the AS: the UE fills the destination address of all subsequent service flows or data packets sent to the AS with the address of the UPF, and the UPF forwards them to the AS after processing.
908: the UE initiates a TCP connection to the UPF, and the UPF, acting as a proxy, establishes a second TCP connection to the AS. The user initiates a login request to the AS through the UE; after the user passes authentication, the AS authorizes the user to use the service policy the AS has subscribed to, and the AS sends the service policy identifier corresponding to that service policy to the UE. For example, if the user is a VIP user of Tencent video, the Tencent video AS sends the service policy identifier corresponding to the Tencent unified charging policy to the UE, or sends the service policy identifier corresponding to the VIP user QoS policy to the UE, so as to authorize the user to access the Tencent video service for free or to access it with high-speed, high-bandwidth QoS.
909: the UE sends a service policy update request to the core network from the user side, pushing the service policy that the AS allows the user to use to the core network; the message contains the service policy identifier. When encapsulating the service policy push message, the UE may use a message name negotiated with the core network or a specific message format to indicate to the UPF that this user plane data is a service policy push message. The embodiment of the invention does not limit the encapsulation format of the user plane data.
910: the UPF receives the service policy information pushed by the UE, sends the service policy identifier pushed by the UE to the SMF, and requests that the control plane verify it.
911: the SMF receives the service policy verification request message sent by the UPF and forwards it to the PCF for confirmation and verification.
912: the PCF verifies the service policy identifier pushed by the UE, confirms that it is a legitimate service policy identifier allocated by the PCF, and sends the service policy corresponding to the identifier to the SMF.
913: after receiving the service policy that passed the PCF's verification, the SMF allocates a label to the service policy, where the label is used to identify the corresponding service policy on the user plane. The format of the label may be a number, a character string composed of letters or numbers, or another form; the embodiment of the present invention does not limit it. The SMF sends both the label and the service policy to the UPF.
914: the UPF sends a service policy push response message to the UE, which contains the label allocated by the SMF for the service policy.
915: the UE sends service data to the AS and encapsulates the label on the outer layer of the service data payload. As shown in fig. 10a, the payload part encapsulated in HTTPS format is the service flow or data packet sent by the UE to the AS, and the UE encapsulates the label between the PDCP (Packet Data Convergence Protocol) layer and the service flow or data packet.
916: the UPF receives the GTP packet transmitted by the wireless network; when it detects that the GTP packet carries the label, it obtains the matching service policy according to the label and performs the corresponding charging processing on the UE's service flow or data packet according to that service policy. As shown in fig. 10b, the GTP packet received by the UPF includes the label. The UPF then removes the label and sends the service flow or data packet in the payload part to the AS.
In the embodiment shown in fig. 9, the UE pushes the service policy to the core network through the user plane, which avoids having a large number of ASs push service flow characteristics and the corresponding service policies to the core network through the AF, simplifies the network topology, avoids the performance pressure and security risk of interaction between the core network and the SP/CP network, and improves network security. Moreover, in the embodiment shown in fig. 9, the UE carries the label corresponding to the service policy, allocated by the core network for the UE, in the header of the service flow or data packet. Because the label is separate from the service flow or data packet, the core network does not need to inspect or parse the service flow or data packet: even if the packet is encrypted, the core network can obtain the service policy corresponding to the UE's current service flow from the label in the packet header, which reduces the difficulty of service data detection by the core network and improves its accuracy.
In the embodiment shown in fig. 9, the actions of the UE in step 906 and the subsequent flow may be triggered by an APP client installed in the UE; the APP client invokes other function modules in the UE (as shown in figs. 5 to 7) and implements the technical solution of the embodiment of the present invention through a service flow or data packet of the user plane, so the communication protocol stack is not changed and the pushing of the service policy can be implemented merely by upgrading the APP client in the UE. However, in the scheme shown in fig. 9, the UPF needs to act as a proxy between the UE and the AS and forward all service flows or data packets between the UE and the AS, which increases the performance consumption of the UPF. It can be seen from step S4 (910-. However, this approach requires an extension of the control plane protocol (e.g., the NAS protocol) to support the pushing of service policies.
Fig. 11 is a flowchart of a method for a UE to push a service policy through the control plane. Steps 1101-1105 in fig. 11 are the same as steps 901-905 in fig. 9 and are not described again.
1106: before accessing the AS service, the UE obtains the address of the AS through a DNS query. Unlike the scheme in fig. 9, the UPF does not intercept the DNS query request or response message, and the UE obtains the address of the real AS through the DNS query. The UE establishes a TCP connection to the AS through the UPF and initiates a service request to the AS, such as an access request or a login request; after the user passes authentication, the AS authorizes the user to use the service policy the AS has subscribed to, and the AS sends the service policy identifier corresponding to that service policy to the UE.
1107: the UE constructs a control plane NAS message and sends it to the SMF, where the NAS message contains the service policy identifier. NAS messages sent by the UE to the SMF may also need to be forwarded by other control plane functional entities or network elements, such as the AMF, which are not described here again.
1108-1110: the SMF sends the service policy identifier pushed by the UE to the PCF for verification, and after the verification passes, the SMF sends the verified service policy and the label allocated by the SMF to the UPF. See the description of steps 911-913 in fig. 9 for details.
1111: the SMF sends a service policy push response message to the UE, which contains the label allocated by the SMF for the service policy. It should be noted that steps 1111 and 1110 are not necessarily performed in that order.
1112: the UE stores the label and establishes a correspondence between the label, the service policy identifier and the AS, for example a mapping between the AS address and the label. When the UE sends service data to the AS, it encapsulates the label corresponding to the AS on the outer layer of the service data payload. The UPF inspects the service flow between the UE and the AS; for a service flow or data packet containing the label, it obtains the service policy corresponding to the label, performs the corresponding policy control on the flow or packet, and sends the service data to the AS.
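As an added example (not code from the patent or its applicant), the following Python simulates the procedure of figs. 9 and 11 end to end: the PCF encodes identifiers according to the patent's 'operator + AS provider + AS service + policy' rule, the UE pushes one, the SMF verifies it with the PCF and allocates a label, and the UPF charges by label and strips it before forwarding. The field widths, the random label format, the label wire format, the entity names, and the per-UE binding check in the UPF are assumptions; both push paths (UPF relay in fig. 9, NAS relay in fig. 11) converge on the same SMF handling, so the relay itself is not modelled.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class PCF:
    """Policy control function: allocates service policy identifiers (step 903)
    and later confirms that a pushed identifier is one it allocated (step 912)."""
    operator_code: str
    allocated: dict = field(default_factory=dict)  # identifier -> (as_id, policy)

    def subscribe(self, as_id, provider_code, service_code, policies):
        """Encode 'operator + AS provider + AS service + policy' into one identifier
        per authorized policy; `policies` maps a policy code to a policy name."""
        result = {}
        for policy_code, policy in policies.items():
            ident = f"{self.operator_code}{provider_code}{service_code}{policy_code}"
            self.allocated[ident] = (as_id, policy)
            result[policy] = ident
        return result

    def check(self, ident):
        """Return the policy behind a legitimately allocated identifier, else None."""
        entry = self.allocated.get(ident)
        return entry[1] if entry else None


@dataclass
class UPF:
    """User plane function: applies the policy bound to a label (step 916)."""
    rules: dict = field(default_factory=dict)    # label -> (ue_id, policy)
    charged: dict = field(default_factory=dict)  # (ue_id, policy) -> payload bytes

    def install(self, label, ue_id, policy):
        self.rules[label] = (ue_id, policy)

    def receive(self, ue_id, frame):
        """Parse the constructed [len][label][payload] frame, look up the policy,
        charge the payload bytes and strip the label. Returns (policy, payload),
        or None when the frame carries no label the UPF can honour."""
        if not frame:
            return None
        n = frame[0]
        label, payload = frame[1:1 + n].decode(), frame[1 + n:]
        rule = self.rules.get(label)
        # Added check, not stated in the patent: a label is only honoured for the
        # UE whose session it was allocated to, so one UE cannot reuse another's.
        if rule is None or rule[0] != ue_id:
            return None
        policy = rule[1]
        self.charged[(ue_id, policy)] = self.charged.get((ue_id, policy), 0) + len(payload)
        return policy, payload


@dataclass
class SMF:
    """Session management function: verifies the pushed identifier with the PCF,
    allocates a label and programs the UPF (steps 911-913 and 1108-1110)."""
    pcf: PCF
    upf: UPF

    def handle_push(self, ue_id, ident):
        policy = self.pcf.check(ident)
        if policy is None:
            return None  # rejected: the PCF never allocated this identifier
        label = secrets.token_hex(4)  # assumption: random 8-hex-character label
        self.upf.install(label, ue_id, policy)
        return label


def encapsulate(label, payload):
    """UE side (steps 915 and 1112): put the label in front of the payload."""
    lab = label.encode()
    return bytes([len(lab)]) + lab + payload


def run_flow():
    """Walk the whole procedure with constructed codes and a constructed request."""
    pcf, upf = PCF(operator_code="460"), UPF()
    smf = SMF(pcf, upf)
    # Steps 901-904: the video AS subscribes two policies and gets identifiers.
    idents = pcf.subscribe("video_as", "0001", "01",
                           {"01": "unified_charging", "02": "vip_qos"})
    # Step 908 / 1106: after login the AS hands a VIP user the vip_qos identifier.
    ident = idents["vip_qos"]
    # Steps 909-914 / 1107-1111: the UE pushes it and receives a label.
    label = smf.handle_push("ue-1", ident)
    # Steps 915-916 / 1112: labelled service data is charged and forwarded.
    result = upf.receive("ue-1", encapsulate(label, b"GET /video HTTP/1.1"))
    # Negative cases: an identifier the PCF never issued, and a label reused by
    # a different UE; both are refused rather than granted a policy.
    forged = smf.handle_push("ue-2", "460000101ZZ")
    reused = upf.receive("ue-2", encapsulate(label, b"x"))
    return result, forged, reused, upf.charged
```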
Fig. 9 and fig. 11, taking a 5G core network as an example, describe a method flow for pushing a service policy through a user plane and a control plane in the embodiment of the present invention. The service policy pushing method provided by the embodiment of the invention is also suitable for other types of networks, such as 4G core networks. Fig. 12 is a flowchart of a method for a UE to push a service policy to a 4G core network through a control plane, where the SGW/PGW-C, the SGW/PGW-U, the PCRF, and the SCEF in fig. 12 implement functions of the SMF, the UPF, the PCF, and the NEF in fig. 11, respectively, and the method flows are similar and are not described again here. It should be noted that, similar to fig. 11, the control plane message sent by the UE to the SGW/PGW-C needs to be forwarded by other 4G core network elements, such as MME, and these other message forwarding network elements are not listed in the figure. It should be further noted that, in fig. 12, SGW/PGW-C represents SGW-C or PGW-C, SGW/PGW-U represents SGW-U or PGW-U, and the functions of SGW/PGW-C and SGW/PGW-U may be implemented in separate entities or in one entity. The process shown in fig. 12 may also be applied to a scenario in which the 4G core network does not separate the control plane from the user plane, and in this scenario, the SGW/PGW-C and the SGW/PGW-U are implemented in one entity.
Those of skill in the art will readily appreciate that the exemplary elements and algorithm steps described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
For example, as shown in fig. 13, the UE, the AS, and the functional entities in the core network described in the embodiment of the present invention, such as the SMF, PCF, UPF, PGW, etc., may all be implemented by the computer device (or system) in fig. 13.
Fig. 13 is a schematic diagram of a computer device according to an embodiment of the present invention. Computer device 1300 includes at least one processor 1301, a communication bus 1302, memory 1303, and at least one communication interface 1304.
The processor 1301 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs in accordance with the present invention.
The communication bus 1302 may include a path that conveys information between the aforementioned components.
The memory 1303 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be self-contained and coupled to the processor via a bus. The memory may also be integral to the processor.
The memory 1303 is used for storing the application program code for executing the present invention, and the processor 1301 controls its execution. The processor 1301 is configured to execute the application program code stored in the memory 1303, thereby implementing the functions in the method of the present patent.
In particular implementations, processor 1301 may include one or more CPUs, such as CPU and CPU1 in fig. 13, for example.
In particular implementations, computer device 1300 may include multiple processors, such as processor 1301 and processor 1308 in fig. 13, as an embodiment. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In particular implementations, computer device 1300 may also include an output device 1305 and an input device 1306, as one embodiment. The output device 1305, which is in communication with the processor 1301, may display information in a variety of ways. For example, the output device 1305 may be a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display device, a Cathode Ray Tube (CRT) display device, a projector, or the like. The input device 1306 is in communication with the processor 1301 and may accept input from a user in a variety of ways. For example, the input device 1306 may be a mouse, a keyboard, a touch screen device, or a sensing device, among others.
The computer device 1300 may be a general-purpose computer device or a special-purpose computer device. In a specific implementation, the computer device 1300 may be a desktop computer, a laptop computer, a web server, a Personal Digital Assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, an embedded device, or a device with a similar structure as in fig. 13. Embodiments of the invention are not limited by the type of computer device 1300.
Those skilled in the art will appreciate that UE-500, UE-600, UE-700, or AS-800 may take the form shown in FIG. 13. For example, the application client module 601 in fig. 6 or the service policy authorization module 802 in fig. 8 may be implemented by the processor 1301 in fig. 13 calling a code in the memory 1303, which is not limited in this embodiment of the present invention.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above-mentioned embodiments further describe the objects, technical solutions and advantages of the present invention in detail. It should be understood by those skilled in the art that the above-mentioned embodiments are only exemplary embodiments of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention. In the claims, "comprising" does not exclude other elements or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Claims (21)
1. A core network for implementing policy control, comprising a session management function entity, a user plane function entity, and a policy control function entity, wherein,
the session management functional entity is used for receiving a service policy identifier from user equipment, sending the service policy identifier to the policy control functional entity, receiving a service policy corresponding to the service policy identifier sent by the policy control functional entity, and sending the service policy to the user plane functional entity, wherein the service policy identifier is obtained by interaction between the user equipment and an application server;
the policy control function entity is configured to receive a service policy identifier sent by the session management function entity, and send a service policy corresponding to the service policy identifier to the session management function entity;
and the user plane functional entity is used for receiving the service strategy sent by the session management functional entity and carrying out strategy control on the data message from the user equipment according to the service strategy.
2. The core network of claim 1, wherein the session management function entity is configured to receive a service policy identifier from a user equipment, and specifically includes:
and the session management function entity is used for receiving a control plane message, wherein the control plane message comprises the service policy identifier from the user equipment.
3. Core network in accordance with claim 1,
the user plane functional entity is further configured to receive user plane data from the user equipment, where the user plane data includes the service policy identifier from the user equipment;
the session management functional entity is configured to receive a service policy identifier from a user equipment, and specifically includes that the session management functional entity is configured to receive a message sent by the user plane functional entity, where the message includes the service policy identifier from the user equipment.
4. The core network of claim 3, wherein the user plane function entity is further configured to send an address of the user plane function entity to the user equipment, so that the user equipment sends user plane data to the address of the user plane function entity.
5. Core network in accordance with claim 2,
the session management functional entity is further configured to allocate a label to the service policy corresponding to the service policy identifier, and send the label to the user equipment and the user plane functional entity; the user equipment includes the label in the sent user plane data, and the user plane functional entity determines the corresponding service strategy according to the label;
and the user plane functional entity is further configured to receive the tag, and perform policy control on the data packet including the tag from the user equipment according to a service policy corresponding to the tag.
6. Core network in accordance with claim 4,
the session management functional entity is further configured to allocate a label to the service policy corresponding to the service policy identifier, and send the label to the user plane functional entity;
and the user plane functional entity is further configured to receive the tag, send the tag to the user equipment, and perform policy control on a data packet containing the tag from the user equipment according to a service policy corresponding to the tag.
7. The core network according to any of claims 1-6, wherein the policy control function entity is further configured to receive a request message for the application server to sign a service policy, allocate a service policy identifier to the service policy that the application server requests to sign, and send the service policy identifier to the application server.
8. The core network of claim 7, wherein the core network further comprises a network open function entity, configured to provide an open interface to the application server, receive a request message for the application server to sign a service policy, and send the request message to the policy control function entity, and further configured to receive the service policy identifier assigned by the policy control function entity, and send the service policy identifier to the application server.
9. A method for implementing policy control, applied to a scenario in which a user equipment accesses a service provided by an application server via a core network, is characterized in that,
and the user equipment sends a service policy identifier to the core network so that the core network performs policy control on the data message between the user equipment and the application server according to a service policy corresponding to the service policy identifier, wherein the service policy identifier is obtained by interaction between the user equipment and the application server.
10. The method of claim 9, wherein the user equipment obtains the traffic policy identification from the application server.
11. The method according to claim 9 or 10, wherein the user equipment sends a message to a control plane function entity of a core network, and the message includes the service policy identifier.
12. The method according to claim 9 or 10, wherein the user equipment sends user plane data to a user plane function entity of the core network, the user plane data including the service policy identifier.
13. The method according to claim 12, wherein the user equipment sending the user plane data to the user plane function entity of the core network specifically comprises: the user equipment obtaining an address of the user plane function entity of the core network in a response message to a query for the address of the application server, and the user equipment sending the user plane data to that address.
14. The method of claim 9 or 10, wherein the method further comprises:
after the user equipment sends the service policy identifier to the core network, the user equipment receives a label distributed by the core network for a service policy corresponding to the service policy identifier;
the user equipment includes the label in the user plane data message sent to the application server, so that the core network determines the corresponding service policy according to the label and performs the corresponding policy control on the data message carrying the label.
15. A user equipment for implementing policy control, comprising
The system comprises an application client module, a communication module and a service module, wherein the application client module is used for constructing a control plane message or user plane data sent to a core network and sending the control plane message or the user plane data to the communication module, and the control plane message or the user plane data comprises a service strategy identifier;
the communication module is configured to send the control plane message or the user plane data generated by the application client module to the core network;
the application client module is further configured to obtain the service policy identifier before sending it to the core network; and the data messages exchanged between the application client and the application server are sent or received through the communication module.
16. The user equipment of claim 15,
the communication module is further configured to receive a control plane message or user plane data sent by the core network, and send the control plane message or user plane data sent by the core network to the application client module, where the control plane message or user plane data sent by the core network includes a label allocated by the core network for a service policy corresponding to the service policy identifier;
the application client module is further configured to analyze the control plane message or the user plane data sent by the core network to obtain the tag.
17. The user equipment of claim 16,
the application client module is further configured to construct a data packet sent to an application server, and send the data packet to the communication module, where the data packet includes the tag, so that the core network determines a corresponding service policy according to the tag, and performs policy control on the data packet according to the service policy;
the communication module is further configured to send the data packet to the application server.
18. A session management function entity, comprising:
a module for receiving a service policy identifier from a user equipment, wherein the service policy identifier is obtained by interaction between the user equipment and an application server;
a module for sending the service policy identifier to a policy control function entity;
a module for receiving a service policy corresponding to the service policy identifier from a policy control function entity; and
a module for sending the service policy to a user plane function entity.
19. The session management functional entity of claim 18, wherein the means for receiving a traffic policy identifier from a user equipment is specifically configured to receive a control plane message, and the control plane message includes the traffic policy identifier from the user equipment.
20. The session management functional entity of claim 18, wherein the module configured to receive a service policy identifier from a user equipment is specifically configured to receive a message sent by the user plane functional entity, and the message includes the service policy identifier from the user equipment.
21. The session management function entity according to any of claims 18-20, further comprising:
a module for allocating a label to the service policy corresponding to the service policy identifier, and a module for sending the label to the user equipment and the user plane functional entity, where the label is used to enable the user equipment to include the label in the sent user plane data, and enable the user plane functional entity to determine the corresponding service policy according to the label.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2017/080636 WO2018188082A1 (en) | 2017-04-14 | 2017-04-14 | Method, device, and system for implementing strategy control |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110383762A CN110383762A (en) | 2019-10-25 |
CN110383762B true CN110383762B (en) | 2021-08-03 |
Family
ID=63792102
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201780087861.XA Active CN110383762B (en) | 2017-04-14 | 2017-04-14 | Method, device and system for realizing policy control |
Country Status (5)
Country | Link |
---|---|
US (1) | US20200045770A1 (en) |
EP (1) | EP3584995B1 (en) |
JP (1) | JP6946607B2 (en) |
CN (1) | CN110383762B (en) |
WO (1) | WO2018188082A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102958029A (en) * | 2011-08-29 | 2013-03-06 | China Mobile Group Shanghai Co., Ltd. | Method and device for managing and controlling charging and quality of service (QoS) policies |
CN104010332A (en) * | 2013-02-21 | 2014-08-27 | ZTE Corporation | Bearer binding method and bearer binding system |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101068148A (en) * | 2007-04-19 | 2007-11-07 | Huawei Technologies Co., Ltd. | Policy and charging control method and device |
US8645510B2 (en) * | 2010-05-20 | 2014-02-04 | Alcatel Lucent | Method of distributing PCC rules among IP-connectivity access network (IP-CAN) bearers |
CN105993190B (en) * | 2015-01-20 | 2019-04-26 | Huawei Technologies Co., Ltd. | Bearer resource processing method and apparatus |
2017
- 2017-04-14 WO PCT/CN2017/080636 patent/WO2018188082A1/en unknown
- 2017-04-14 JP JP2019549517A patent/JP6946607B2/en active Active
- 2017-04-14 EP EP17905675.9A patent/EP3584995B1/en active Active
- 2017-04-14 CN CN201780087861.XA patent/CN110383762B/en active Active
2019
- 2019-10-09 US US16/596,879 patent/US20200045770A1/en not_active Abandoned
Non-Patent Citations (3)
Title |
---|
Technical Specification Group Services and System Aspects * |
3rd Generation Partnership Project * |
Study on the security aspects of the next generation system (Release 14). 3GPP TR 33.899 V1.1.0, 2017, pp. 399-413, 442-443. * |
Also Published As
Publication number | Publication date |
---|---|
EP3584995B1 (en) | 2022-02-16 |
JP6946607B2 (en) | 2021-10-06 |
CN110383762A (en) | 2019-10-25 |
EP3584995A1 (en) | 2019-12-25 |
WO2018188082A1 (en) | 2018-10-18 |
JP2020517132A (en) | 2020-06-11 |
US20200045770A1 (en) | 2020-02-06 |
EP3584995A4 (en) | 2020-02-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110383762B (en) | Method, device and system for realizing policy control | |
US11716669B2 (en) | Internet of things service routing method | |
US11974264B2 (en) | Mobile core network service exposure for the user equipment | |
US11412418B2 (en) | Third party charging in a wireless network | |
US20220070767A1 (en) | Network slice for visited network | |
US20210377783A1 (en) | Communications method and apparatus | |
KR102050181B1 (en) | MTC Service Selection in (S)Gi-LAN | |
CN109996346B (en) | Session establishment method, device and system | |
US9521695B2 (en) | Initializing network advertisements from probe requests | |
KR102317963B1 (en) | Method, apparatus and system for detecting quality of service of service | |
US9876877B2 (en) | Special handling of a landing page | |
US20130343269A1 (en) | Routing data over a non-3rd generation partnership project trusted network | |
CN111093262B (en) | Method for realizing 5G user registration, network element equipment and storage medium | |
JP7535022B2 (en) | Apparatus, method and program for remotely managing devices | |
US10305950B2 (en) | Agent-based passive streaming | |
KR20100084064A (en) | Payment system and method using ip address identification | |
CN111586885A (en) | Method and device for establishing bearing and readable storage medium | |
WO2024032178A1 (en) | Communication method and apparatus | |
WO2013190430A1 (en) | Routing data over a non-3rd generation partnership project trusted network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||